ci: run datatracker pod as non-root user (#7366)

* feat: patch_libraries management command * ci: Patch libraries in docker img build * ci: non-root datatracker user * ci: securityContext for datatracker pod
2024-04-25 17:24:26 -03:00 · 2024-04-25 17:24:26 -03:00 · c8ee43da95
parent 30a4a5a77b
commit c8ee43da95
3 changed files with 53 additions and 30 deletions
--- a/dev/build/Dockerfile
+++ b/dev/build/Dockerfile
@ -3,6 +3,9 @@ LABEL maintainer="IETF Tools Team <tools-discuss@ietf.org>"

 ENV DEBIAN_FRONTEND=noninteractive

+RUN groupadd -g 1000 datatracker && \
+    useradd -c "Datatracker User" -u 1000 -g datatracker -m -s /bin/false datatracker
+
 RUN apt-get purge -y imagemagick imagemagick-6-common

 # Install libreoffice (needed via PPT2PDF_COMMAND)
@ -15,7 +18,8 @@ COPY ./dev/build/start.sh ./start.sh
 COPY ./dev/build/datatracker-start.sh ./datatracker-start.sh
 COPY ./dev/build/celery-start.sh ./celery-start.sh

-RUN pip3 --disable-pip-version-check --no-cache-dir install -r requirements.txt
+RUN pip3 --disable-pip-version-check --no-cache-dir install -r requirements.txt && \
+    ietf/manage.py patch_libraries

 RUN chmod +x start.sh && \
    chmod +x datatracker-start.sh && \
--- a/helm/values.yaml
+++ b/helm/values.yaml
@ -67,9 +67,6 @@ datatracker:
  podAnnotations: {}
  podLabels: {}

-  podSecurityContext: {}
-    # fsGroup: 2000
-
 #readinessProbe:
 #  httpGet:
 #    # /submit/tool-instructions/ just happens to be cheap until we get a real health endpoint
@ -90,13 +87,17 @@ datatracker:
    #   cpu: 100m
    #   memory: 128Mi

-  securityContext: {}
-    # capabilities:
-    #   drop:
-    #   - ALL
-    # readOnlyRootFilesystem: true
-    # runAsNonRoot: true
-    # runAsUser: 1000
+  podSecurityContext:
+    runAsNonRoot: true
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    readOnlyRootFilesystem: true
+    runAsUser: 1000
+    runAsGroup: 1000

  service:
    type: ClusterIP
@ -132,17 +133,9 @@ datatracker:
    - name: datatracker-shared-volume
      persistentVolumeClaim:
        claimName: "datatracker-shared-volume-claim"
-# cache-volume and staging-volume are a hack to create paths for debugging without a /a volume
-#    - name: cache-volume
-#      emptyDir:
-#        sizeLimit: 1Gi
-#    - name: staging-volume
-#      emptyDir:
-#        sizeLimit: 1Gi
-  # - name: foo
-  #   secret:
-  #     secretName: mysecret
-  #     optional: false
+    - name: datatracker-tmp
+      emptyDir:
+        sizeLimit: "2Gi"

  # Additional volumeMounts on the output Deployment definition.
  volumeMounts:
@ -152,14 +145,8 @@ datatracker:
      readOnly: true
    - name: datatracker-shared-volume
      mountPath: /a
-# cache-volume and staging-volume are a hack to create paths for debugging without a /a volume
-#    - name: cache-volume
-#      mountPath: "/a/cache"
-#    - name: staging-volume
-#      mountPath: "/test/staging"
-  # - name: foo
-  #   mountPath: "/etc/foo"
-  #   readOnly: true
+    - name: datatracker-tmp
+      mountPath: /tmp

  tolerations: []

--- a/ietf/utils/management/commands/patch_libraries.py
+++ b/ietf/utils/management/commands/patch_libraries.py
@ -0,0 +1,32 @@
+# Copyright The IETF Trust 2024, All Rights Reserved
+import django
+import os
+
+from django.conf import settings
+from django.core.management.base import BaseCommand, CommandError
+from pathlib import Path
+
+from ietf.utils import patch
+
+
+class Command(BaseCommand):
+    """Apply IETF patches to libraries"""
+    requires_system_checks = tuple()
+
+    def handle(self, *args, **options):
+        library_path = Path(django.__file__).parent.parent
+        top_dir = Path(settings.BASE_DIR).parent 
+
+        # All patches in settings.CHECKS_LIBRARY_PATCHES_TO_APPLY must have a
+        # relative file path starting from the site-packages dir, e.g.
+        # 'django/db/models/fields/__init__.py'
+        for patch_file in settings.CHECKS_LIBRARY_PATCHES_TO_APPLY:
+            patch_set = patch.fromfile(top_dir / Path(patch_file))
+            if not patch_set:
+                raise CommandError(f"Could not parse patch file '{patch_file}'")
+            if not patch_set.apply(root=bytes(library_path)):
+                raise CommandError(f"Could not apply the patch from '{patch_file}'")
+            if patch_set.already_patched:
+                self.stdout.write(f"Patch from '{patch_file}' was already applied")
+            else:
+                self.stdout.write(f"Applied the patch from '{patch_file}'")